valeryan's avatar

L5 - Request to a subdomain is causing the session to be regenerated

EDIT - I created a git repo that shows this problem in action. https://github.com/valeryan/L5sessiontest

TLDR - Sessions are not working across subdomains for me in L5 with session domain set to .example.com

So I have been building some test applications using the Laravel development branch. My application has a main domain like 'example.com' and a RESTful API at 'api.example.com'. Anytime I try to make a request to the API I get a token mismatch exception. If I disable the verify token middleware, of course my request goes through. I could not find any weird problems with any of the code that handles all the verification stuff on the Laravel side, but when I opened the session storage folder in my application I had like 50 session files. I noticed that anytime I refreshed a page with an API request in it, a new session gets generated. If the page has 2 requests, two new sessions get generated, etc. The requests are made via AJAX. I can move my API routes to example.com/api and sessions work just fine. I can browse to api.example.com and sessions work fine that way. I have a session domain set to .example.com in my config so that the session is shared between these domains. The API and main site are running on the same Laravel code that I just downloaded from git yesterday. I am also passing CORS headers to allow the requests. If I turn off the token verification the calls work, but the session is still regenerated, so things like auth don't persist.

I did not have any issues with dividing up my API like this in L4. Has anyone else run into an issue like this with Laravel 5?

alexwolff's avatar

Did you pass the token with your request in the header? I had a similar problem where submitting the token as payload simply doesn't work.

bashy's avatar

Probably the domain part of the session not linking over. Have you checked what both sites show under the domain part of the cookie client side?

valeryan's avatar

Yes, the encrypted token is passed in the header and the sessions are all being created under the .example.com domain. The token mismatch is because Laravel is generating a new session with each request. If I disable token verification I still get the problem with a new session for each AJAX request. Thanks for the replies though. I will try to put together a small code test that showcases the problem better.

MThomas's avatar

Update: Disregard this comment, I just noticed in your example repo that you already did this.

Maybe you need to set or change the session domain in config/session.php?

/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/

'domain' => null,

valeryan's avatar

Thanks Bashy, that does appear to fix the problem. I have updated the repo with the fix if anyone wants to see what I had to change.

simplenotezy's avatar

@valeryan I face this exact problem now. Your repo is down.

I tried telling xhr to send withCredentials. I don't know if this was your fix, but I've read that somewhere. However, it does not fix my problem.

Can you help?
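
A server starts a new session whenever a request arrives without its session cookie, so for AJAX calls from example.com to api.example.com the browser-side rules are worth checking one by one. The JavaScript below is an added example, not code from any poster or from Laravel; it models cookie Domain matching, the XHR withCredentials flag and the CORS headers a credentialed request needs, and `checkAjaxSession` with its inputs is a hypothetical helper.

```javascript
// Added example, not code from the thread. All names and values are constructed.

// RFC 6265 domain matching: Domain=.example.com (leading dot ignored) covers
// example.com and every subdomain; a cookie with no Domain is host-only.
function cookieCoversHost(cookie, host) {
  if (!cookie.domain) return host === cookie.setByHost;
  const d = cookie.domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Decide whether the session cookie rides on the request and whether the
// calling page is allowed to read the response.
function checkAjaxSession({ pageOrigin, url, withCredentials, cookie, responseHeaders }) {
  const target = new URL(url);
  const crossOrigin = target.origin !== pageOrigin;
  const headers = {};
  for (const [k, v] of Object.entries(responseHeaders)) headers[k.toLowerCase()] = v;
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'] === 'true';
  const problems = [];

  const covered = cookieCoversHost(cookie, target.hostname);
  if (!covered) problems.push('cookie Domain does not cover ' + target.hostname);
  if (crossOrigin && !withCredentials) {
    problems.push('withCredentials is off, so no cookie is attached');
  }
  const cookieSent = covered && (!crossOrigin || withCredentials);

  let responseReadable = true;
  if (crossOrigin && withCredentials) {
    // Credentialed CORS: a wildcard origin is rejected and the
    // Access-Control-Allow-Credentials header must be exactly "true".
    if (allowOrigin !== pageOrigin) {
      problems.push('Access-Control-Allow-Origin must be the exact page origin, not *');
    }
    if (!allowCreds) problems.push('Access-Control-Allow-Credentials: true is missing');
    responseReadable = allowOrigin === pageOrigin && allowCreds;
  } else if (crossOrigin) {
    responseReadable = allowOrigin === '*' || allowOrigin === pageOrigin;
    if (!responseReadable) problems.push('Access-Control-Allow-Origin does not allow this page');
  }
  return { cookieSent, responseReadable, problems };
}
```

When `cookieSent` is false the server sees an anonymous request and issues a fresh session, which matches a session file appearing per AJAX call.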